High severity · credentials
Power BI Refresh Error:
ADLSGen2ForbiddenError
What does this error mean?
ADLS Gen2 access denied (403 Forbidden) in ADF or Fabric. Either the pipeline identity lacks the required RBAC role on the container, or the storage firewall blocks the integration runtime (IR).
Common causes
1. The storage account has public network access disabled, so the integration runtime is blocked and needs a private endpoint
2. The storage account firewall is configured for selected virtual networks/IPs and the integration runtime's IP is not in the allowlist
3. The service principal or managed identity is missing the required RBAC role on the storage account or container
How to fix it
1. Check the storage account's Networking settings in the Azure portal
2. If public network access is disabled: configure a managed virtual network Data Factory runtime and create a private endpoint to access the storage account
3. If selected virtual networks and IPs are configured: add the integration runtime's public IP to the storage account firewall under Networking → Firewall rules; for Azure IR IP ranges, see the ADF documentation
4. If using trusted Azure services in the firewall: switch to managed identity authentication in the copy activity
5. Ensure the service principal or managed identity has at least 'Storage Blob Data Reader' for source operations or 'Storage Blob Data Contributor' for destination/write operations
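
Added example, not part of the original page: the checks from the steps above written as triage logic over the JSON that `az storage account show` and `az role assignment list` return. The field names follow that output as an assumption, the function name `diagnose_403` is hypothetical, and the sample account, IP addresses and principal ID are constructed.

```python
import ipaddress

# "At least" Reader for source reads, Contributor for sink writes; Owner is a superset of both.
READ_ROLES = {"Storage Blob Data Reader", "Storage Blob Data Contributor", "Storage Blob Data Owner"}
WRITE_ROLES = {"Storage Blob Data Contributor", "Storage Blob Data Owner"}

def diagnose_403(account, assignments, principal_id, container, ir_ip, write=False):
    """Return cause codes for the 403, in the order the page lists the causes."""
    causes = []
    rules = account.get("networkRuleSet") or {}
    if account.get("publicNetworkAccess") == "Disabled":
        causes.append("public_access_disabled")       # fix: managed VNet IR + private endpoint
    elif rules.get("defaultAction") == "Deny":
        ip = ipaddress.ip_address(ir_ip)
        allowed = any(ip in ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
                      for r in rules.get("ipRules") or [])
        if not allowed:
            causes.append("ir_ip_not_allowlisted")    # fix: add the IR IP to the firewall rules
            if "AzureServices" in (rules.get("bypass") or ""):
                causes.append("hint_trusted_services_needs_managed_identity")
    # RBAC is inherited downward: an assignment counts if its scope is the
    # container itself or any ancestor (account, resource group, subscription).
    target = f'{account["id"]}/blobServices/default/containers/{container}'.lower()
    needed = WRITE_ROLES if write else READ_ROLES
    has_role = any(
        a["principalId"] == principal_id and a["roleDefinitionName"] in needed
        and (target == a["scope"].lower()
             or target.startswith(a["scope"].lower().rstrip("/") + "/"))
        for a in assignments)
    if not has_role:
        causes.append("missing_rbac_role")
    return causes

# Constructed sample data (not real resources).
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
ACCOUNT = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Storage/storageAccounts/stdemo",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                       "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"}]},
}
ASSIGNMENTS = [{"principalId": PRINCIPAL,
                "roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNT["id"]}]

if __name__ == "__main__":
    print(diagnose_403(ACCOUNT, ASSIGNMENTS, PRINCIPAL, "raw", "198.51.100.7", write=True))
```

An empty list means none of the three listed causes matched the supplied data. The function evaluates only the IP rules and role assignments passed in, not virtual network rules or private endpoints.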